BREAKING: UNB emails, passwords may have been leaked on the dark web


UPDATE: UNB’s IT Services has confirmed that UNB accounts are not affected by this breach, but the breach does include UNB email addresses and the passwords used with them on other services. For example, if you use your UNB email to log into Facebook, it is that password that may be leaked.

A data breach affecting 226 million accounts across more than 23 thousand hacked databases may include UNB emails and passwords.

In November 2020, a data breach named Cit0day was listed for sale on the dark web. The breach includes 23 thousand websites and services, one of which is a UNB server. The leak includes emails and de-hashed passwords. Hashed passwords are scrambled with a one-way function and are usually difficult, or impossible, to reverse; de-hashed passwords are those whose original plaintext has been recovered.

Student notified of leaked email through monitoring service

A recent UNB graduate, who wishes to remain anonymous, received a notification from an identity monitoring service that said his information may have been leaked on the dark web.

“It surprised me and I immediately changed my passwords to all of my accounts. I still use my UNB email account for everything and I am quite concerned. If administrative accounts are leaked, that might put both students’ and faculty’s identities at risk,” the student told The Baron.

President, registrar among leaked accounts

The Baron checked some UNB emails on HaveIBeenPwned, a service used to check if your emails or passwords have been leaked in breaches like Cit0day. Both “President@unb.ca” and “Registrar@unb.ca” returned positive results.

UNB often encourages students and faculty to renew their passwords each year, which minimizes the risk associated with a breach like this. More recently, on January 5, UNB added multifactor authentication to some of its login services, increasing security.

Some sources suggest that, while the leak itself occurred in November of 2020, the data may be a few years old. There is nothing to confirm or deny this, though.

The breach is likely legitimate

The breach was initially analyzed by Troy Hunt, an Australian web security consultant and the creator of HaveIBeenPwned. Hunt, who believes the leak is legitimate, shared his analysis of the data on his blog. He also made a list of the affected servers and websites available on GitHub.

If you are concerned that your information may have been leaked, you can check your email address and passwords at HaveIBeenPwned. This service checks for your information in hundreds of leaked breaches.

UPDATE: No concern for UNB accounts

UNB’s IT Services has confirmed there are no concerns for UNB accounts and that this leak includes third-party services associated with UNB accounts. For example, if you registered for Facebook with your UNB email, that account may be compromised, but not your UNB account itself.

“There is no concern for UNB accounts related to this breach. The notices for this breach are for individuals that registered for third-party services (Facebook, Twitter, etc.) using their UNB email address as the username/email address,” IT Services said in an email. “To be safe, anyone receiving these notices may want to check any of their personal services where they signed up using their UNB email address. Students also have the option of using UNB’s cybersecurity awareness program for more training and to see potential alerts where they have used their UNB email address to sign up for third-party services, as it is integrated with haveibeenpwned.com.”